Establishing Digital Trust: Don't Sacrifice Security for Convenience
I think small e-commerce entrepreneurs like me are especially vulnerable to online scams and "phishing" expeditions because you reach the point where you think you've seen it all. After all, online scams are as ubiquitous as spam.
That was what I thought until I received an e-mail with a header that read, "Thanks for ordering flowers!" Since I'm in the flower business, I buy flowers all the time -- so I opened the e-mail to find this:
"Dear AOL Member,
There has been a purchase added to your AOL account on September 29th, 2003. This purchase took place at 1-800-Flowers.com. If this order was unauthorized and you would like to cancel, please Click Here. Below is listed information about your order:
Product - Love's Embrace Roses.
Price - $29.99
Shipment Type - 3-5 Day Ground
Shipping and Handling - $7.99
Total Price - $37.98
Click here to modify your order."
Thirty-two dozen roses for $29.99? I think not. That was the big tip-off.
Clearly I had not ordered flowers, so the first thing I did, rather than click through to any of the links provided, was to check my AOL account. (I know, I know, but like many small business owners, I'm a loyal user and AOL works for me.)
Of course, no flower purchase was recorded. And although 1-800-Flowers.com is in fact an AOL e-commerce partner, purchases made there through AOL are paid via credit card, not billed to one's AOL account. But lots and lots of AOL account holders were targeted by this scam.
Ken Young, a spokesman for 1-800-Flowers.com, said that as I suspected, this scam was merely a phishing expedition to get nervous AOL users to cough up account data, passwords and credit card numbers. If a consumer clicks through on the links in the e-mail, he or she is directed to a phony 1-800-Flowers.com Web site where they are enticed to surrender their data.
"Different versions pop up periodically," he said. "AOL describes it as being like that Whack a Mole game."
"We are helping AOL, and we let AOL know if (this scam) comes up," Young said. "They (the perpetrators of this attempt to defraud online users) are drafting off our brand name and recognition factor to lend credence to their efforts."
For its part, America Online says that genuine AOL correspondence will always have a blue envelope icon, a blue border and the AOL seal. Also, the AOL staff will never ask for a password or billing information. Neither do eBay or PayPal. AOL says it's working hard to find the spammers and stop the scam and others like it.
AOL also maintains a whole section on safety, security and privacy at keyword "scam" and the recent 1-800-Flowers.com scam is referenced there.
But it's not surprising that there are new scams being developed every day. The Federal Trade Commission has said that identity theft is the fastest growing crime in the United States.
Phishing expeditions (also known as spoofing) via spam are one of the best ways for criminals to get your personal data - by setting up bogus Web sites that look like those of legit retailers in an attempt to trick unwary consumers into giving up their credit card numbers, Social Security numbers, passwords, account logons, etc. Campaigns aimed at eBay and PayPal account holders, both of which are used extensively by small businesses, are among the most common.
This has become such a widespread occurrence that even my local Post Office has giant posters cautioning people about the dangers of identity theft. And whole new businesses are springing up because of this. My bank is now pitching me identity theft insurance -- $10,000 of protection for $12 a month, warning that "people with good credit" are often targets.
The FTC maintains an entire section of its Web site -- called ID theft home -- devoted to identity theft.
Interestingly, ID theft is so prevalent there are now sites like FightforMe.com advertising on Google, saying that "our identity theft defense lawyers can help" if you have been charged with such a crime.
For victims, there is the Identity Theft Resource Center, among a host of other resources.
The best advice of course is never to click through to a site in an e-mail message. If in doubt, call or e-mail the company that has your account, or check your billing status online.
Of course, never give out your personal information. I didn't give out any of mine, but I sure was tempted to click through to that Web site because the e-mail touched a chord in me specifically related to my business. And my business accounts and credit card info would be just as valuable to criminals as my personal data.
As a Web-savvy small business owner, it can be easy to let your guard down -- don't let it happen to you.